As the cybercrime industry keeps producing new Malware-as-a-Service (MaaS) products, we have grown used to seeing operators develop their control panels and advertise them on underground forums.
Over the past year, an allegedly legitimate software company named Venom Control Software emerged, offering a Remote Access Tool (RAT) for “hackers and pen-testers”. Looking at the product itself, the accepted payment methods, and the group's other services, one has to wonder whether the platform's clients are mainly hackers rather than pen-testers.
A recent leak of the Venom Control product gave us an opportunity to see how the fairly professional RAT operates.
Services and Pricing
Venom Control currently offers three different plans (Figure 2). Pricing depends on the supported features and the subscription period, ranging from $150 to $350 USD, paid in cryptocurrency.
Venom RAT is packed with features related to anonymity, data exfiltration, C2 connectivity and stealth.
One of the more advanced techniques Venom uses is Hidden VNC (HVNC), a stealth technique found in several trojans and spyware families. Windows allows more than one desktop per window station, and HVNC abuses this by creating an additional desktop on the victim's machine and running the operator's interactive session there. Because that desktop is never switched to, nothing the operator does appears on the desktop the victim is looking at, which makes the activity much harder for the victim to notice. Other known spyware such as BitRAT and BrataRAT also apply this technique.
In addition, Venom RAT supports remote system features such as file management, persistence, a remote shell, a registry editor, microphone recording, loading additional malware, password recovery, and much more.
A “Remote Fun” set of features is also available, which offers more “childish” capabilities such as hiding the mouse, clock, start button, turning the monitor on and off, etc.
As mentioned, the RAT also has significant stealth capabilities, such as disabling Windows Defender, anti-kill (resisting termination of its process), start-up persistence, and an encrypted connection to its C2.
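The hidden-desktop trick described above and the Defender-disabling and start-up persistence features listed here are all observable from the host. The following PowerShell triage script is an added example, not code from this article or from Venom Control: it enumerates the desktops in the current window station and flags any name that Windows itself does not create, checks the Defender policy values and preferences that "disable Defender" options typically flip, and lists Run/RunOnce entries for comparison against a known-good baseline. The known-desktop list, the registry paths, and the `DesktopEnum` helper are the editor's assumptions about stock Windows defaults, not anything tied to Venom specifically.

```powershell
# Added example (not from the article or Venom's code): host triage for an HVNC-style
# hidden desktop, Defender tampering, and Run-key persistence.
# Run in an elevated PowerShell 5.1+ session on the Windows host being investigated.
# $knownDesktops holds the desktops Windows creates by itself (assumption); any other
# name is an indicator to investigate, not a verdict, since some legitimate tools
# (e.g. virtual-desktop utilities) also create desktops.

Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class DesktopEnum
{
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetProcessWindowStation();

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);

    // Enumerate every desktop object in the calling process's window station (normally WinSta0).
    public static List<string> ListDesktops()
    {
        var names = new List<string>();
        EnumDesktopProc cb = delegate(string name, IntPtr l) { names.Add(name); return true; };
        EnumDesktops(GetProcessWindowStation(), cb, IntPtr.Zero);
        GC.KeepAlive(cb);
        return names;
    }
}
'@

$knownDesktops   = @('Default', 'Winlogon', 'Disconnect', 'Screen-saver')
$desktops        = [DesktopEnum]::ListDesktops()
$suspectDesktops = $desktops | Where-Object { $knownDesktops -notcontains $_ }

Write-Host "Desktops in current window station: $($desktops -join ', ')"
if ($suspectDesktops) {
    Write-Warning "Non-standard desktop(s) present (possible HVNC): $($suspectDesktops -join ', ')"
}

# Defender tampering: policy values commonly set by "disable Defender" features,
# plus the effective preference as reported by the Defender module.
$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpPolicy      = Join-Path $defenderPolicy 'Real-Time Protection'
$policyChecks = @(
    @{ Path = $defenderPolicy; Name = 'DisableAntiSpyware' },
    @{ Path = $rtpPolicy;      Name = 'DisableRealtimeMonitoring' },
    @{ Path = $rtpPolicy;      Name = 'DisableBehaviorMonitoring' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) {
        Write-Warning "Defender policy '$($c.Name)' is set to 1 under $($c.Path)"
    }
}
try {
    $pref = Get-MpPreference -ErrorAction Stop
    if ($pref.DisableRealtimeMonitoring) { Write-Warning 'Defender real-time monitoring is disabled' }
    if ($pref.ExclusionPath) { Write-Host "Defender path exclusions: $($pref.ExclusionPath -join ', ')" }
} catch {
    Write-Warning "Get-MpPreference unavailable: $($_.Exception.Message)"
}

# Start-up persistence: dump Run/RunOnce entries for the machine and the current user so the
# analyst can diff them against the host's known-good baseline.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Write-Host ("{0}\{1} = {2}" -f $k, $_.Name, $_.Value) }
}
```

Two caveats when reading the output: EnumDesktops only lists desktops the calling token can enumerate, so run it elevated (and, for a multi-user host, in the session under investigation), and a Defender that is simply absent or replaced by third-party AV will also make Get-MpPreference fail, which is why that branch only warns rather than concluding tampering.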
Finally, Venom RAT is also packed with information-stealing capabilities such as keylogging, cryptocurrency wallet theft, and password recovery from browsers such as Chrome, Edge, Opera, Yandex and more.
Throughout the past year, we have seen the Venom Control Group investing a lot in promoting their product on several platforms and in many forums.
The group advertises itself on dark web forums, publishes demo videos on Vimeo, and like most malware groups, maintains a Telegram channel with thousands of followers used to communicate with their clients.
As with the recently introduced Atlas Intelligence Group (A.I.G), Venom Control also carries out all of its transactions through the Sellix.io platform, where it has opened an online store (Figure 3).
Using the Sellix.io platform is nothing new when it comes to underground sellers. The platform acts as a middleman, helping to both secure the cryptocurrency payment, and provide anonymity to the buyer and the seller.
In addition to Sellix.io, Venom Control also sells its products through Escrow, another middleman service for parties who want to secure a deal; if the Venom group fails to deliver, the client receives a refund from Escrow, which gives buyers peace of mind.
That Venom Control offers two buying platforms, both of which favor the buyer, suggests the group is confident in its product and in its customer service.
The creators of the Venom Control group previously advertised another service named KGB Crypter (Figure 4), under which they sell packers for obfuscating malicious executables as well as custom-made loaders.
KGB Crypter is advertised on a dedicated website, hosted on the clear web, as well as on a dedicated Telegram channel that already has thousands of followers (Figure 5).
The Venom control panel is straightforward. It shows basic information about each victim such as IP address, location, username, and operating system (Figure 6).
A threat actor who uses the panel will also be able to set automatic tasks for the trojan to run on the victim’s machine and see the execution logs in real-time.
It also provides built-in tutorial videos, guides, links to support via Telegram, and a builder (Figure 7) that supports options such as disabling firewalls and setting dynamic C2 ports and domains.
Unlike some other MaaS offerings, the Venom Control group does not provide the C2 infrastructure; the customer has to host that themselves. It does provide the packer and live updates for the samples, along with highly professional customer support and a user-friendly interface, which appears to be very appealing to entry-level threat actors.
As the RAT market becomes more mainstream than ever, and as we see a proliferation of espionage and trojan-related campaigns daily, the fine line between a Remote-Access-Tool and Remote-Access-Trojan has become blurry.
The question that remains is when does a tool become a trojan in the eyes of the authorities and regulations?
Venom Control presents itself as a legitimate software company and disclaims any responsibility for how its product is used, but looking at the capabilities and techniques the tool offers, together with the payment methods the group accepts, it is fairly obvious which crowd it is aiming at.